CVE-2021-30181

CRITICAL

Apache Dubbo <2.6.9-2.7.9 - RCE

Title source: llm

Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Exploits (1)

nomisec STUB

by shoucheng3 · poc

https://github.com/shoucheng3/apache__incubator-dubbo_CVE-2021-30181_2-6-8

View Code ZIP pw:eip

References (1)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.0387

EPSS Percentile 88.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (3)

apache/dubbo 2.5.0 - 2.6.10

com.alibaba/dubbo 2.5.0 - 2.6.9Maven

org.apache.dubbo/dubbo 2.5.0 - 2.7.10Maven

Published Jun 01, 2021

Tracked Since Feb 18, 2026